RBI Payment Gateway License in India

A Payment Gateway License, issued by the Reserve Bank of India (RBI) under Section 5 of the Payment and Settlement Systems (PSS) Act, 2007, is a mandatory authorization for any business that wants to operate a system for processing online payments. This license permits the entity to securely transmit transaction information between the customer, the merchant, and the respective banks.

In simple words, it lets a business offer online payment services by safely connecting buyers and sellers for money transfers. Payment Gateways (PGs) that do not handle funds directly but only provide the underlying technology do not need a Payment Aggregator (PA) license. However, they must partner with an RBI-licensed Payment Aggregator and comply with RBI’s regulations.

Law Governing Payment Gateway License in India

To operate a payment gateway or act as a payment aggregator in India, businesses must comply with regulations set by the RBI and follow key financial, data, and IT laws. These ensure secure transactions, proper customer verification, and protection of sensitive information.

• Payment and Settlement Systems Act, 2007: Governs and authorizes all payment systems in India under the RBI’s control.
• RBI Guidelines for Payment Aggregators and Gateways (2020): Mandates licensing, capital norms, and compliance standards for non-bank entities.
• Information Technology Act, 2000: Ensures the legal validity and security of electronic transactions and records.
• Prevention of Money Laundering Act (PMLA), 2002: Imposes mandatory KYC and anti-money laundering checks on financial intermediaries.
• Digital Personal Data Protection (DPDP) Act, 2023: Regulates how personal data is collected, stored, and processed by digital platforms.
• PCI-DSS Standards (Industry Standard): Requires secure handling and storage of card payment data to prevent breaches.

A Payment Gateway License in India ensures legal compliance, enhances security, and enables smooth digital transactions. It helps businesses build trust, offer multiple payment options, and expand their market reach.

• Enhanced Security and Trust: The license mandates PCI-DSS compliance, ensuring you handle user data securely and building credibility with customers and partners.
• Legal Authority to Operate: The license provides the legal foundation to build and offer advanced payment solutions, including white-label wallets and integrated API platforms.
• Fraud Screening Tools (FST): Licensed payment gateways offer tools like Card Code Value (CCV), Address Verification Service (AVS), and Card Verification Value (CVV) to detect and prevent fraud, helping secure users' personal and financial data.
• One-Stop Solution: A payment gateway acts as a single platform that connects different digital tools like shopping carts, e-commerce platforms, and software systems through one simple API integration.
• Access to the Financial Ecosystem: An RBI license is essential for establishing direct partnerships with multiple banks and card networks, allowing you to offer a wide array of payment options (credit/debit cards, UPI, etc.).
• Market Expansion Opportunities: The RBI-issued payment gateway license enables businesses to process international payments, helping them grow their reach beyond India and enter global markets.

Once a customer places an order on an online platform, the payment gateway goes through a series of steps to complete the transaction securely and smoothly.

1. Encryption

In the first step, the user's browser encrypts the payment details that need to be sent. The payment gateway then securely transfers this encrypted transaction data to the assigned payment processor.

2. Request for Authorization

Once the payment processor receives the data, it sends it to the relevant card network (like Visa or MasterCard). The card-issuing bank then reviews the transaction and either approves or declines it based on the available balance and other checks.

3. Authorization and Confirmation

If the transaction is approved, the payment gateway receives the authorization from the bank. This is then sent to the merchant’s website to confirm the order and complete the payment process successfully.

4. Fund Settlement

Once the transaction is authorized, funds are settled to the merchant's bank account as per RBI's guidelines, typically within T+1 (next business day) or T+0 (same-day) timelines, depending on the arrangement with the Payment Aggregator or bank.

Payment Gateway vs. Payment Aggregator

In India’s digital payment ecosystem, Payment Gateways (PGs) and Payment Aggregators (PAs) work closely together but serve different roles. Understanding the difference is crucial, especially for businesses planning to enter the fintech or e-commerce space.

To apply for a Payment Gateway License in India, the applicant must meet the following basic requirements:

• The company must be registered under the Companies Act, 1956 or 2013.
• There should be at least 2 members in the company.
• The company must have a minimum of 2 directors.
• Valid address proof of the business is required.
• A detailed 5-year business plan must be prepared and submitted.
• The company should have a current bank account in its name.
• A system flow diagram and code testing report from a certified software testing agency must be provided.
• The company should have a Service Tax Registration Number (now covered under GST).
• It must follow the PCI DSS (Payment Card Industry Data Security Standard) for data security.

Minimum Net Worth Requirement

To obtain a Payment Aggregator (PA) license from the RBI, entities must meet the following net worth criteria:

• Initial Net Worth: The applicant must have a minimum net worth of Rs. 15 crores at the time of application.
• Increased Net Worth within 3 Years: This net worth must be increased to Rs. 25 crores within three years of commencing operations as a licensed Payment Aggregator.

If you’re a business owner planning to apply for an RBI license to operate a payment gateway in India, here are the important technical and security requirements you need to know:

PCI Audit and Final Certification Process

To become PCI DSS compliant, payment gateway operators must undergo a structured audit process. This involves identifying gaps, mitigating risks, reviewing policies, and completing a final assessment for certification.

• PCI DSS Scoping and Gap Assessment: Identify areas that don’t meet PCI DSS standards.
• PCI DSS Risk Assessment: Evaluate and document security risks.
• PCI DSS Policy & Procedure Review: Review and update all security-related policies and procedures.
• PCI DSS Final Audit and Certification: Final security audit to confirm compliance.
• Report Attestation and Issuance: Includes AOC (Attestation of Compliance), ROC (Report on Compliance), and COC (Certificate of Compliance).

Security Testing & Documentation

Security testing ensures the payment system is free from exploitable vulnerabilities. This stage involves assessments, simulations, and documentation.

• Template Sharing: Use standard templates for reports and documentation.
• Application Security Testing: Test applications for security vulnerabilities.
• Secure Code Review: Review the source code for security flaws.
• ASV Scans: Conduct regular external vulnerability scans on all public-facing IP addresses using a PCI-approved vendor (ASV).
• Internal Vulnerability Assessment: Regularly scan internal network systems and IPs to identify and remediate vulnerabilities.
• Penetration Testing (Internal and External): Simulate real-world cyberattacks to evaluate system resilience.
• External Penetration Testing: Ethical hacking attempts on 5 external IPs to assess public-facing system vulnerabilities.
• Internal Penetration Testing: Simulated attacks on 10 internal IPs to test internal defenses and detect potential insider threats.
• Network Architecture Documentation: Prepare a network diagram showing all components.

Security Policies to Maintain

To meet RBI guidelines and ensure secure operations, payment gateway operators must implement the following security policies:

• Antivirus Policy: Guidelines for deploying and maintaining antivirus software across all systems.
• Firewall Configuration Policy: Rules for setting up, monitoring, and maintaining firewalls to protect network boundaries.
• DMZ and Internal Policy: Security controls for systems located in the Demilitarized Zone (DMZ) and internal network zones.
• Patch Management Policy: Regular updating of all software and operating systems to fix vulnerabilities.
• Database Access Policy: Strict rules and user roles for accessing and modifying database systems.
• Asset Inventory Policy: Maintain a detailed and updated inventory of all IT hardware and software assets.
• Change Control Policy: A documented process to evaluate, approve, and track system and infrastructure changes.
• Data Retention and Disposal Policy: Define how long data is retained and outline secure data disposal procedures.
• Physical Security Policy: Measures to prevent unauthorized physical access to data centers, servers, and critical hardware.
• Data & Access Control Policy: Define and restrict data access based on user roles and job responsibilities.
• PCI DSS Awareness Training: Regular training for employees to stay updated on PCI DSS compliance requirements.
• Cyber Security Incident Response Policy: A predefined action plan to identify, respond to, and recover from cybersecurity incidents.
• Password Policy: Enforce strong password creation rules and periodic password updates.
• Security Logs and Events Policy: Monitor and maintain logs of system activities, access, and alerts to detect anomalies.

Infrastructure Setup Requirements

A secure and well-maintained IT infrastructure is essential for PCI DSS compliance and ongoing payment operations.

• Database Hardening: Strengthen database security settings.
• DMZ & Internal Zone Configuration: Proper setup of external and internal network zones.
• Operating System (OS) Hardening: Secure the operating systems in use.
• Central Antivirus Server: Install and manage antivirus from one central server.
• Regular Patch Updates: Ensure all systems are up-to-date.
• NTP Server: Set up a server to sync time across systems.
• Multi-Factor Authentication (MFA) System: Enhance login security with MFA.
• VPN Setup: Secure remote access using a Virtual Private Network (VPN).
• File Integrity Monitoring (FIM) Server: Detects changes to files in real-time.
• Firewall Rules: Define security rules for your firewall settings.

With the rapid growth of digital payments in India, setting up a payment gateway has become a key requirement for businesses dealing in online transactions. However, to legally operate a payment gateway, businesses must first obtain authorization from the Reserve Bank of India (RBI).

The process involves submitting an application under the Payment and Settlement Systems Act, 2007, and fulfilling all regulatory requirements.

Step 1: Submit the Registration Application

The applicant needs to fill out and submit Form A to the Chief General Manager of the Department of Payment & Settlement Systems, either at the RBI’s Central Office in Mumbai or any other designated regional RBI office. This is done as per Section 5(1) of the Payment and Settlement Systems (PSS) Act, 2007.

Step 2: RBI Verifies the Details

The RBI will then check and verify all the information and documents submitted by the applicant. It may also conduct further inquiries if needed to ensure everything is genuine and complete.

Step 3: Fulfill RBI Conditions

To get the license, the applicant must meet all the necessary conditions set by the RBI under Section 7 of the PSS Act, 2007. These include operational, technical, and financial compliance requirements.

Step 4: License Issuance by RBI

If the RBI is satisfied with the application and all conditions are met under Section 7(1) of the Act, it will issue the Authorization Certificate in Form B, officially allowing the business to run a payment gateway system.

Step 5: Application Processing Time

As per Section 7(4) of the PSS Act, 2007, the RBI will process and decide on the application within 6 months from the date of submission.

Here is a list of essential documents required to apply for a Payment Gateway License in India:

• Certificate of Incorporation of the company (under the Companies Act, 1956/2013).
• PAN Card of the company.
• Address proof of the registered office (e.g., utility bill, rent agreement).
• KYC documents of all directors and shareholders (Aadhaar, PAN, Passport, etc.).
• Board resolution authorizing the application for the license.
• Memorandum & Articles of Association (MoA & AoA).
• Business plan for the next 5 years.
• Bank account details and a cancelled cheque of the company.
• Code flow diagram and technical system architecture.
• Code testing report from a certified software testing agency.
• PCI DSS compliance certificate.
• Details of payment processing systems and software used.
• Tax registrations (GST, if applicable).
• Net worth certificate issued by a certified Chartered Accountant (Minimum ₹15 crore for new applicants, as per RBI norms).
• Audited financial statements of the company (if available).
• Grievance redressal mechanism and customer service policies.
• Information Security Policy, Risk Management Strategy, and Data Privacy Protocols.

Here are the key requirements you need to know before setting up a payment gateway system in India:

Components of Payment Gateway System

To run a payment gateway smoothly and legally, certain components must be in place:

• Merchant Agreement: A Merchant Agreement is a contract between the business and the payment service provider. It outlines the terms for accepting, authorizing, processing, and settling payments.
• Secure Electronic Transactions (SET): Secure Electronic Transactions are provided by major payment companies like Visa and MasterCard to ensure safe and secure online transactions.

Types of Payment Gateway Providers

Payment gateway services are offered by different types of providers depending on cost, setup, and service level:

• Second-Party Provider: These are payment gateway providers that offer services with a lower Transaction Discount Rate (TDR), but the overall transaction cost is high.
• Third-Party Provider: Also called non-bank payment aggregators, these providers have lower setup costs and charge a TDR of around 2% to 4%, making them more affordable for small businesses.

Before receiving a Certificate of Authorization under Section 7 of the Payment and Settlement Systems Act, 2007, the applicant must meet the following conditions:

• There must be a clear need for the proposed payment service or system that the applicant plans to offer.
• The payment system should follow the technical standards set for its design and operation.
• The system must include proper terms and conditions, including strong security measures for safe operation.
• The method of transferring funds within the payment system should be clearly defined and secure.
• The payment system should have a clear process for settling payment instructions and calculating what each party owes.
• The financial background, industry experience, and honesty of the company’s management will be evaluated.
• There must be clear terms and conditions that define the relationship between customers and the payment provider.
• The system should follow the current credit and monetary policies set by regulatory authorities.
• A specific time frame must be mentioned for getting the authorization.
• Any other factors the RBI considers important will also be taken into account.

Getting a Payment Gateway License in India includes costs like RBI fees, capital requirements, technology setup, compliance, and consultancy charges.

Here's a quick breakdown:

Once a Payment Gateway License is obtained, the license holder must follow several ongoing compliance requirements to maintain the authorization and operate legally:

• Audits & Certification: Conduct regular RBI and PCI DSS-compliant audits and obtain annual certification from a CERT-IN auditor, ensuring timely renewals.
• Data Security Compliance: Continuously comply with PCI DSS and other security protocols to protect customer data.
• Transaction Monitoring: Monitor all transactions for fraud, suspicious activity, and ensure KYC norms are followed.
• Reporting to RBI: Submit regular reports to the Reserve Bank of India, including financials, operational updates, and security incidents.
• Maintain Net Worth: Ensure the company’s net worth stays in line with RBI’s minimum requirements (Rs. 15–25 crores).
• Customer Grievance Redressal: Set up a dedicated system to handle customer complaints and resolve them promptly.
• Disaster Recovery & Backup: Maintain proper data backup systems and disaster recovery plans to ensure business continuity.